De-obfuscating a botnet infection

Last night I was working on a PHP website for a client when I stumbled upon this line of code whitespaced way off the screen on the first line of a few of our files: https://gist.github.com/ryepdx/5016290

That looked pretty suspicious to me, so I googled “$GLOBALS[‘QQOO’]” and the only result that came up was this Pastebin: http://pastebin.com/71nwAsj6

Definitely didn’t like the look of that, so I grepped the rest of our files and found the same code embedded in the same way on four more files. I removed it from all of them, re-uploaded the cleaned files, and got to work figuring out what this code was doing.

Building a web crawler for extracting GPS data from JPGs (part 3)

At this point things are going to pick up a bit. I wrote a Python class to handle reading GPS data from a JPEG using what I learned from walking through the file with the EXIF spec and the Fetid Cascade example at hand. I’ve posted the Python class on GitHub as part of the gps-exif-webcrawler repository I started for this project. I haven’t had as much time to spend honing my Python skills as I used to have, so there are probably a few things about it that could stand some tightening up. (If you see anything, please drop me a line. I’m always interested in improving the quality of my code.)

Building a web crawler for extracting GPS data from JPGs (part 2)

Recap:

>>> f = open("gps_exif.jpg", "rb")
>>> f.seek(20)
>>> f.read(10)
'\xff\xe1#\x86Exif\x00\x00'

 Big-endian, little-endian:

The endianness of the JPEG is determined by the four bytes following the APP1 opening headers. ‘II\x2a\x00’ stands for Intel, whose CPUs are little-endian, and ‘MM\x00\x2a’ stands for Motorola, whose 680×0 CPUs are big-endian. (Source)

>>> f.read(4)
'MM\x00*'

Awesome, we have a big-endian file on our hands. So the higher-order byte will come first in this encoding. Concretely, this means that the number 256 will be encoded as ‘\x01\x00’ instead of ‘\x00\x10’ (as it would be in little-endian encoding).

Setting up Python 2.7 and PyPI (pip) on an iPod Touch

I just wanted to harvest tweets over a period of about a month or two, but I didn’t want to pay for all that processor time on an EC2 instance. I tried running my Python script on my shared hosting account, but the admins kept killing the ‘screen’ containing it. I would have used my desktop computer, but I can’t sleep with it on. And my laptop couldn’t provide the uptime I needed.

First thought: Raspberry Pi. But getting one looked like a rather lengthy process, and I didn’t want to have to wait weeks or months to proceed with my project.

Prolog in Python (pt. 2)

Note: I’ve uploaded a basic barebones project based on this series to a GitHub repository for your convenience.

Last time we figured out how to use SWI-Prolog routines in Python. Now we will learn how to connect SWI-Prolog to MySQL and use it to extend Prolog’s built-in database.

Connecting and Disconnecting

The odbc_connect predicate will connect you to your MySQL database. Here I encapsulate it in another predicate for ease of use throughout the rest of my code.

connect :- odbc_connect('mysql.your_database_name', _,
[ user(your_username),
alias(database_symbol),
password(your_password),
open(once)
]).

Getting the Compaq nx6125 Broadcom Wireless card to work in Ubuntu 11.10

I remember trying to get Ubuntu to work on my Compaq nx6125 my freshman year of college. The first and biggest hurdle was getting the wireless card to work. Recently, after a few OS changes, I decided to go back to Ubuntu for that machine. Imagine my dismay when I discovered the documentation on the process hadn’t changed much since my freshman year! Fortunately with a little digging I was able to find a much simpler process. If you’re trying to get your Broadcom card to work in Ubuntu 11.10 (and possibly earlier versions, for all I know), simply run:

Building Opa in 32-bit Ubuntu 11.10

Heard of Opa? It’s a full web app stack by MLstate. It focuses on allowing developers to create highly scalable, highly interactive, rich web applications as easily as possible.

Here’s “Hello World” in Opa:
server = Server.one_page_server("Hello", ( -> <>Hello web</>))

And here’s a chat room in 20 ELOC:
import stdlib.themes.bootstrap

type message = {author: string /**The name of the author (arbitrary string)*/
; text: string /**Content entered by the user*/}

@publish room = Network.cloud("room"): Network.network(message)

user_update(x: message) =
line =
<div class="row line">
<div class="span2 columns user">{x.author}:</div>
<div class="span13 columns message">{x.text}</div>
</div>
do Dom.transform([#conversation +Dom.scroll_to_bottom(#conversation)

Prolog in Python (pt. 1)

I’ve recently become enamored with the idea of querying a Prolog program with a MySQL database backend from a Python script. Specifically I want to create a Django web app that will allow a user to ask for the price of a thing in terms of anything else. Prolog seems like an excellent choice for the value-finding engine as value-finding in this case will mostly consist of finding a path of trade between two things. For example, in order to find the price of apples in terms of bananas, the value finding engine will first query its database to see if it already knows that off-hand. If it doesn’t, it then has to see what it does know about the price of apples and then see if anything it can trade apples for can then be traded for bananas. It has to keep branching out until it finally hits bananas.